I've been searching for many hours now for a way to set up a transparent proxy for SSL (not Squid). The general answer is that I can't, but I know there are some ways. My purpose is only the following:

EDIT:
One person says here:
How do I use IPTABLES to create a HTTPS (443) passthrough around Squid?
"The best thing for you to do is to block direct access to port 443 and tell your users that if they want to use HTTPS, they must configure their browser to use the proxy." But I only know how to block 443 completely, not how to make it work through a proxy.

3 Answers

If you want to filter on domain names, you have two possible ways: you could take the name from the CONNECT method issued by the client if it knows that it has to use a proxy for HTTPS connections and filter on that one (Squid supports that, BTW). Or, if you really, really need to do it transparently, you would need to look into the (encrypted) request headers.

If you want to see encrypted request headers, you need to have a key. If you want to have a key, you need a certificate which is a) trusted by the client to be the "correct" certificate and b) certifies every possible host (wildcard-everything).

So what you would need to do is:

1. Set up a certificate for your proxy. It depends on your software how to do that - you might use stunnel to terminate the SSL connection at the proxy's side, have some filtering HTTP proxy behind it, and re-establish SSL for all outgoing traffic using iptables DNAT targets and stunnel again. There might be "boxed" solutions for MitM SSL proxying as well.

2. Install the aforementioned certificate on all of your clients that are going to use the proxy.

Mostly, if you need transparent proxying it is because you do not want to, or cannot, reconfigure the clients to use the proxy. If this is the case with your request as well, you probably would not have the option to install certificates on clients and mark them as "trusted". So even though there is a technical way for transparent SSL proxying, I suspect not much will be gained for you.
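The first approach in the answer above, taking the hostname from the CONNECT request line and filtering on it, as an added example that is not code from the original page and not Squid's or Delegate's own logic. The blocklist and the allowed-port set are constructed assumptions for the example. Because the proxy refuses a CONNECT before relaying any TLS bytes, it needs no certificate or key, which is exactly why this route avoids the MitM setup the answer goes on to describe:

```python
import ipaddress
import re
import select
import socket
import threading

# Constructed policy for this example (assumptions, not from the page): CONNECT to
# these domains or any subdomain is refused, and only the HTTPS port may be
# tunnelled so the proxy cannot be used as a generic TCP relay (e.g. to SSH out).
BLOCKED_DOMAINS = ("example.com", "tracker.test")
ALLOWED_PORTS = {443}

CONNECT_RE = re.compile(
    rb"^CONNECT[ \t]+(?P<host>\[[^\]]+\]|[^ \t:]+):(?P<port>\d{1,5})[ \t]+HTTP/1\.[01]\r?\n"
)


def parse_connect(request):
    """Return (host, port) from a CONNECT request line, or None if it is not one."""
    m = CONNECT_RE.match(request)
    if not m:
        return None
    host = m.group("host").decode("ascii", "replace").strip("[]").lower().rstrip(".")
    port = int(m.group("port"))
    if not host or not 0 < port < 65536:
        return None
    return host, port


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """Suffix match on DNS labels: 'www.example.com' matches 'example.com' but
    'notexample.com' does not. IP literals are refused outright, otherwise a
    client sidesteps the name filter with 'CONNECT 93.184.216.34:443'."""
    host = host.lower()
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in blocked)


def decide(request, blocked=BLOCKED_DOMAINS, ports=ALLOWED_PORTS):
    """Pure policy step: map raw request bytes to (status line, host or None).
    Kept free of sockets so the policy can be tested without a network."""
    parsed = parse_connect(request)
    if parsed is None:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n", None
    host, port = parsed
    if port not in ports or is_blocked(host, blocked):
        return b"HTTP/1.1 403 Forbidden\r\n\r\n", host
    return b"HTTP/1.1 200 Connection established\r\n\r\n", host


def read_request(conn, limit=16384):
    """Read until the blank line ending the CONNECT headers, capped at `limit`."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def pump(a, b):
    """Relay bytes both ways until either side closes. Everything after the 200
    is TLS between browser and origin; this proxy holds no key and sees no plaintext."""
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for s in readable:
            data = s.recv(65536)
            if not data:
                return
            (b if s is a else a).sendall(data)


def handle(client):
    upstream = None
    try:
        request = read_request(client)
        status, host = decide(request)
        if not status.startswith(b"HTTP/1.1 200"):
            client.sendall(status)  # refused before any TLS byte is relayed
            return
        upstream = socket.create_connection((host, parse_connect(request)[1]), timeout=10)
        upstream.settimeout(None)
        client.sendall(status)  # only now does the browser start its TLS handshake
        pump(client, upstream)
    except OSError:
        pass
    finally:
        client.close()
        if upstream is not None:
            upstream.close()


def serve(listen=("0.0.0.0", 3128)):
    """Accept explicit-proxy clients; browsers point their HTTPS proxy setting here."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(64)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it on the gateway and configure the browsers' HTTPS proxy to that host and port 3128; the server here binds all interfaces only for brevity and should be bound to the LAN side in practice. The check acts on the name the client claims in CONNECT, which is why IP literals are refused and why CONNECT is limited to port 443: without those two rules a client can reach a blocked server by address, or use the proxy as a relay to arbitrary ports. It is a policy control on cooperating clients, not a substitute for a firewall rule that blocks direct outbound 443.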

Thank you, it does indeed, but I couldn't get it to work! It seems it needs different iptables rules than the ones for port 80, or there's some option I can't figure out for Delegate.
– Teresa e Junior Jun 17 '11 at 4:38